This was originally posted in 2018 and has been updated a few times since.
Why this topic?
SSH, Secure Shell, is a network protocol used to access remote Linux machines. You can execute commands on a remote server by connecting to it over the SSH protocol.
SSH is an important part of a Linux-based technical interview. Both newbies and experienced techs can follow this post to prepare for their interviews!
It is a very vast and interesting topic. Prepare SSH clearly and attend the interview with cent percent confidence 🙂
Question 1 : What is SSH?
Ans : SSH is the abbreviation of the Secure Shell protocol. It is a secure and the most commonly used protocol for accessing remote servers. This protocol encrypts the data transferred between the two hosts.
Question 2 : What is the default port number for SSH?
Ans : 22
Question 3 : What is the configuration file for SSH server?
Ans : The configuration file for SSH server is “/etc/ssh/sshd_config.”
Question 4 : What is the configuration file for SSH client?
Ans : The configuration file for SSH client is “/etc/ssh/ssh_config.”
Question 5 : Is it possible to change the default SSH port number?
Ans : Yeah, everyone knows the default SSH port number, which is port 22. As a security measure, you have to change the port number from 22 to some other open port. Yeh!! It is possible.
Please see the steps pasted below to change the default SSH port from 22:
Step 1 : Log into the server as root user.
Step 2 : Open SSH configuration file with your favorite text editor.
# vi /etc/ssh/sshd_config
Step 3 : Search the directive “Port.”
Step 4 : Change its value to some other unused port number, like 2022.
Step 5 : Save the file.
Step 6 : Restart SSH daemon.
# service sshd restart
Question 6 : How do you access your server over SSH without the actual root password? Is it possible?
Ans : Of course, it is possible. On the remote server, there is a file called “authorized_keys” under the user’s home directory where you add your public keys. For root, this file is located under the “/root/.ssh” directory.
Generate a key pair on your local machine and upload the public key to this file. You can create your own key pair using the “ssh-keygen” command on your Linux machine. On Windows, you can use PuTTYgen to generate the private/public key pair.
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
d4:47:78:cf:41:75:eb:59:cc:67:b2:6d:1a:20:c0:2d [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|     ... .....o|
|     Eoo.. .oo|
|     ..o.oo.o*|
|      . o .+=+|
|         S ooo|
|            + |
|            . |
|              |
|              |
+-----------------+
Add the public key to the authorized_keys file and restart the SSH daemon. That’s it!
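As an added example (not from the original post), here is a small POSIX shell helper that adds a public key to a user's authorized_keys the way Question 6 describes, skipping duplicate entries and setting the permissions sshd expects on the directory and file. The function names and the sample key line are constructed for illustration; the key is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original post): add a public key to
# ~/.ssh/authorized_keys as Question 6 describes, without duplicating an
# existing entry and with the permissions sshd insists on (700 for .ssh,
# 600 for authorized_keys; with StrictModes enabled, looser modes make sshd
# ignore the file). Function names are hypothetical; the sample key is constructed.

# Rough shape check of a public-key line: "<key-type> <base64-blob> [comment]".
is_pubkey_line() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key HOME_DIR "KEY LINE"
# Returns 0 when the key was added, 2 when it was already present, 1 if malformed.
install_authorized_key() {
    home=$1; key=$2
    is_pubkey_line "$key" || return 1
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    f="$home/.ssh/authorized_keys"
    touch "$f" && chmod 600 "$f" || return 1
    # Match on key type + blob only, so the same key with another comment is still a duplicate.
    id=$(printf '%s' "$key" | awk '{ print $1, $2 }')
    if awk -v id="$id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$f"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$f"
}

# Constructed placeholder key for demonstration only (not a real key).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB0000000000000000000000 alice@laptop'

demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"; echo "first install: $?"   # 0
install_authorized_key "$demo_home" "$SAMPLE_KEY"; echo "second install: $?"  # 2
rm -rf "$demo_home"
```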
Question 7 : For some security reason, you need to disable direct root login to your server. What would you do?
Ans : If you are continuously facing root-level login attacks and you want to disable root login to your server completely, yeah, it is possible. There is a directive in the SSH configuration file to manage it. The directive is pasted below:
Change its value from “yes” to “no.” Then restart the SSH daemon.
Question 8 : Consider this scenario: I want to disable direct root login and enable shell access to the server only for my user. How would you tweak the SSH configuration for this?
Ans : Simply open the SSH configuration with your favorite text editor and disable root login, as described in Question 7.
Then search for the directive “AllowUsers” in the configuration file. If it is not there, add it and specify the usernames there.
AllowUsers user1 user2
That’s it! Don’t forget to restart the SSH daemon 🙂
Question 9 : Like AllowUsers, is it possible to manage access to the server for Linux groups?
Ans : Yeah, you can manage it by using the directive “AllowGroups.”
AllowGroups group_1 group_2
Question 10 : Okay, you successfully allowed some users and groups. Now I want to block particular users and groups from accessing SSH. How will you tweak the SSH configuration for this?
Ans : Like AllowUsers and AllowGroups, you can deny users and groups by using the following directives:
DenyUsers user1 user2
DenyGroups group1 group2
Question 11 : What is the difference between SSH and Telnet? Which do you prefer, and why?
Ans : Both SSH and Telnet are network protocols used to connect to and communicate with another machine over the network. I prefer SSH.
| SSH | Telnet |
| Port 22 | Port 23 |
| Communication between client and server is encrypted. | Not encrypted (plain text). |
| SSH uses a public key for authentication. | Telnet does not use any authentication. |
| Secure | Not secure compared to SSH |
Question 12 : How to enable debugging in ssh command?
Ans : To enable debugging mode, use the “-v” switch along with your normal SSH command. To increase the debugging level, just increase the number of v’s. Please see the example:
# ssh user@host -v
Question 13 : Please explain the different protocols for SSH communication.
Ans : SSH has two protocol versions, Protocol 1 and Protocol 2. Protocol 1 is old and less secure. We use Protocol 2 nowadays! You can set/change it from the SSH configuration file.
Question 14 : How to check SSH server’s version details from Linux commandline?
Ans : You can find the SSH server version by executing the following command:
# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Question 15 : Okay, you can connect to a remote host using the SSH command. How would you copy files using SSH? Is it possible?
Ans : Yes, it is possible. SCP is the command used to transfer files over the network securely. SCP is based on the SSH protocol and uses the SSH port by default.
scp root@host:/home/crybit/* /home/crybit
The above command securely copies all files from /home/crybit/ on the remote host to the local machine’s /home/crybit directory.
Question 16 : Your SSH port is non-default. In this case, will the above SCP command work or not?
Ans : Nope, it will not! We need to specify the actual SSH port number for the SCP connection. You can use the -P switch to specify your non-default SSH port.
scp -P 2201 root@host:/home/crybit/* /home/crybit
Where 2201 is the SSH port.
Question 17 : What is SCP an abbreviation of?
Ans : SCP stands for Secure Copy.
Question 18 : Have you heard about blowfish?
Ans : Blowfish is a cipher used with the SCP command to increase the transfer speed. By default, scp uses the Triple-DES cipher to encrypt the data being copied.
scp -c blowfish root@host:/home/crybit/* /home/crybit
Question 19 : Can you briefly explain the working of SCP?
Ans : SCP stands for Secure Copy. It transfers files over the network securely. SCP is based on the SSH protocol and uses the SSH port by default.
1. The client initiates an SSH connection to the remote host and requests that an SCP process be started on the remote host.
2. The remote SCP process can operate in two modes.
2.1 Source mode
In this mode, SCP on the remote host reads files from disk and sends them back to the client machine.
2.2 Sink mode
In this mode, SCP accepts the files sent by the client and writes them to disk on the remote host.
The syntax is the same as the base Linux copy (cp) command.
Question 20 : Commonly used SCP switches?
Ans : We already explained the usage of the “-P” and “-c blowfish” switches. Other commonly used switches are “r”, “p” and “u.”
-p : Preserves modification times, access times, and modes from the original file.
-r : Recursively copies entire directories. Note that scp follows symbolic links encountered in the tree traversal.
-U : Removes source files after copying them to the destination.
Question 21 : What does the “AddressFamily” directive in the SSH configuration stand for?
Ans : This directive is used to limit SSH access to a specific subnet. It increases security further: no one outside the given subnet can access the server over SSH.
Step 1 : Open the configuration file using your favorite text editor.
Step 2 : Search for “AddressFamily”
Step 3 : Add your preferred subnet details.
Step 4 : Restart SSH daemon.
Question 22 : Have you heard of the command “sshpass”?
Ans : Yeah! sshpass is a command that allows us to supply a password on the Linux CLI, the command line interface.
It helps to supply the SSH password in automation scripts.
# sshpass -p PaSsWoRd ssh [email protected]
Question 23 : What is ListenAddress in the SSH configuration?
Ans : This directive specifies which interfaces on the server accept connections from outside the network. Consider this scenario: your server has 6 different IP addresses and you want to configure SSH so that it only permits SSH access on a particular IP address.
How to do this?
Step 1 : Open SSH configuration file.
Step 2 : Add the IP address:
ListenAddress 125.120.11.00 (Example)
Step 3 : Restart SSH daemon.
Question 24 : What is the purpose of “LoginGraceTime”?
Ans : By default, its value is 2 minutes, which means that when you access the server using SSH, you have 2 minutes to complete the connection with the correct credentials.
Question 25 : What is the purpose of “MaxAuthTries”?
Ans : It defines the maximum number of failed login attempts allowed from a network.
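As an added example (not from the original post), the following POSIX shell script audits an sshd_config for the hardening directives covered in Questions 5 to 10 and 24 to 25 (Port, PermitRootLogin, AllowUsers, LoginGraceTime, MaxAuthTries). PermitRootLogin is the real sshd directive the Question 7 answer refers to; the function names, the expected values and the sample configuration are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config for the
# directives discussed in Questions 5-10 and 24-25. Assumes sshd semantics:
# lines starting with '#' are comments, keywords are case-insensitive, the
# FIRST occurrence of a keyword wins, and lines after "Match" are conditional
# (ignored here). Function names and expected values are constructed.

# sshd_get FILE KEYWORD -> effective value, or empty if the directive is unset.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # skip comment lines
        tolower($1) == "match" { exit }     # stop at conditional blocks
        NF >= 2 && tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# sshd_check FILE KEYWORD EXPECTED ("*" = any non-empty value); 0 on PASS, 1 on FAIL.
sshd_check() {
    val=$(sshd_get "$1" "$2")
    if { [ "$3" = "*" ] && [ -n "$val" ]; } || [ "$val" = "$3" ]; then
        printf 'PASS %-16s %s\n' "$2" "$val"; return 0
    fi
    printf 'FAIL %-16s got "%s", want "%s"\n' "$2" "${val:-<unset>}" "$3"; return 1
}

# sshd_audit FILE -> prints one line per check; returns the number of failures.
sshd_audit() {
    n=0
    sshd_check "$1" Port 2022          || n=$((n + 1))   # Q5: non-default port
    sshd_check "$1" PermitRootLogin no || n=$((n + 1))   # Q7: no direct root login
    sshd_check "$1" AllowUsers '*'     || n=$((n + 1))   # Q8: explicit allow-list
    sshd_check "$1" LoginGraceTime 30  || n=$((n + 1))   # Q24: below the 2m default
    sshd_check "$1" MaxAuthTries 3     || n=$((n + 1))   # Q25: cap failed attempts
    return "$n"
}
# Constructed sample config for the demo (not copied from any real server).
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2022
PermitRootLogin no
AllowUsers user1 user2
MaxAuthTries 6
#LoginGraceTime 30
Match User backup
    PermitRootLogin yes
EOF
}
cfg=$(mktemp); write_sample_config "$cfg"
sshd_audit "$cfg"; echo "failures: $?"   # 2 (LoginGraceTime unset, MaxAuthTries too high)
rm -f "$cfg"
```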
Question 26 : How to restart SSH daemon?
Ans : CentOS/RHEL version up to 6
# /etc/init.d/sshd restart
Or
# service sshd restart
CentOS/RHEL version 7 (latest)
# service sshd restart
Question 27 : How to check the SSH daemon’s status?
Ans : CentOS/RHEL version up to 6
# /etc/init.d/sshd status
Or
# service sshd status
CentOS/RHEL version 7 (latest)
# service sshd status
Question 28 : How to limit the bandwidth used by scp command?
Ans : This can be done by using the “-l” switch. The syntax is pasted below:
# scp -l bandwidth_limit root@host:/home/crybit/* /home/crybit
Question 29 : How to create a banner to display texts when logging into the server via SSH?
Ans : In the SSH configuration file, there is a directive to specify the banner file. This directive is “Banner.”
How to do it?
Step 1 : SSH to server as root user.
Step 2 : Create a file with the preferred text anywhere.
# vi /etc/ssh/mybanner.txt
This server is for authenticated users...
Your activities are under surveillance.
Step 3 : Open SSH configuration file.
Step 4 : Search for “Banner.”
Step 5 : Add the file location as the value of the Banner directive.
Step 6 : Restart SSH daemon.
Question 30 : What do you mean by an SSH cipher? What are the different types of ciphers in SSH?
Ans : A cipher is an algorithm for performing encryption and decryption. Different types of ciphers supported by SSH are:
blowfish, des, 3des
Question 31 : How do you access a GUI over an SSH connection?
Ans : SSH also supports X11 forwarding; we have to use the options -X or -Y (or -XY) to open a server GUI app from the client.
Please let me know your suggestions as comments.